Ring responsible for Carberp botnet arrested; trojan lives on as crimeware for sale

Over a year after the arrest of eight of its members in Russia, the alleged leader of the original Carberp botnet ring that stole millions from bank accounts worldwide has been arrested, along with about 20 other members of the ring who served as its malware development team. The arrests, reported by the news site Kommersant Ukraine, were a collaboration between Russian and Ukrainian security forces. The alleged ringleader, an unnamed 28-year-old Russian citizen, and the others were living throughout Ukraine.

Initially launched in 2010, Carberp primarily targeted the customers of Russian and Ukrainian banks and was novel in the way it doctored Java code used in banking apps to commit its fraud. Spread by the ring through malware planted on popular Russian websites, the Carberp trojan was used to distribute targeted malware that modifies the bytecode in BIFIT's iBank 2 e-banking application, a popular online banking tool used by over 800 Russian banks, according to Aleksandr Matrosov, senior malware researcher at ESET. The botnet that spread the malware, which was a variant of the Zeus botnet framework, also was used to launch distributed denial of service attacks.

In February of 2011 the group put its malware on the market, selling it to would-be cybercriminals for $10,000 per kit—but it pulled the kit a few months later.

The activity of the ring appeared to die down after the first eight arrests last year, with Carberp malware detection dropping through last spring. But the developers kept coding and brought the botnet and related malware back to market last December—including a brand new and improved "bootkit" version of the trojan for the asking price of $40,000, according to RSA security researchers. Carberp malware was used as part of the "Eurograbber" botnet system uncovered late last year that went after both PCs and smartphones in its financial fraud campaign, netting more than $47 million for its operators.

12 Reader Comments

What goes around, usually does come around. Our digital age leaves so many tracks in the sand, you look hard enough and there's always a trace of anything you do. Anonymity is next to impossible. Play with fire long enough, and you will get burned.

Well, except for the people who actually don't get caught. You just never hear about them.

"Carberp primarily targeted the customers of Russian and Ukrainian banks". That was the first thing I looked for. The Russian gov actually enforcing rule-of-law when the targets are foreigners? I couldn't quite imagine it. Sure enough, I was right.